Auditing Standards: GAAS, ISA, and PCAOB Explained

Most audit professionals don’t struggle with auditing standards because they don’t know them. They struggle because the real world doesn’t organize itself around a single framework.

GAAS covers your US private company clients. PCAOB governs the public ones. ISA applies everywhere else, and increasingly in some combination with the others. The teams that feel this most are the ones with complex, varied client portfolios: the firm auditing a US subsidiary of a foreign listed company, or the team managing a client mid-IPO who suddenly needs to shift frameworks entirely.

This guide is for those teams. It covers what each major standard requires, where they diverge, and what compliance looks like when you’re navigating more than one at a time.

What Are Auditing Standards, And Why Do They Exist?

Auditing standards are the rules that govern how an audit is planned, conducted, and reported. They define what qualifies as sufficient work, what documentation is required, and how auditors form and communicate their conclusions.

These are distinct from accounting standards, which govern how financial information is recorded and presented. Auditing standards govern how that information is independently examined and verified. 

The purpose of auditing standards comes down to three things: consistency, reliability, and trust. When an auditor signs off on a set of financial statements, stakeholders  (investors, regulators, lenders, boards) need to know that sign-off means something. Standards are what give it meaning, creating a common baseline that makes audit opinions comparable and defensible across firms, engagements, and markets.

The Three Major Frameworks: GAAS, ISA, and PCAOB

GAAS (Generally Accepted Auditing Standards)

GAAS is issued by the American Institute of Certified Public Accountants (AICPA) and applies to audits of non-public companies in the US. It provides the foundational framework for how private company audits are conducted.

GAAS is organized into three categories: general standards (covering auditor competence, independence, and professional care), standards of fieldwork (covering planning, internal control evaluation, and evidence gathering), and standards of reporting (covering how the audit opinion is formed and communicated).

One clarification worth knowing: GAAS was reorganized into AU-C sections in 2012 as part of the AICPA’s Clarity Project. The restructured standards brought GAAS into closer alignment with ISA, reducing, but not eliminating, differences between the two frameworks.

ISA (International Standards on Auditing)

ISA is issued by the International Auditing and Assurance Standards Board (IAASB) and serves as the global baseline for audit standards. It’s used across the UK, the EU, and the majority of countries worldwide, and is closely tied to IFRS reporting environments.

Where GAAS has historically been more prescriptive, ISA takes a principles-based approach. The practical effect: ISA requires more auditor judgment in applying requirements to specific circumstances, offering flexibility in how practitioners meet the underlying intent of each standard.

For any organization operating internationally or reporting under IFRS, and increasingly for US firms with clients in those environments, ISA fluency isn’t optional.

PCAOB standards

The Public Company Accounting Oversight Board (PCAOB) sets auditing standards for audits of US public companies. Established under the Sarbanes-Oxley Act (SOX) in 2002, the PCAOB operates with a mandate rooted in investor protection and public accountability.

PCAOB standards are more prescriptive than either GAAS or ISA, with particular emphasis on internal control over financial reporting, auditor independence, and documentation requirements. For any firm auditing companies registered with the Securities and Exchange Commission (SEC), PCAOB standards govern the engagement, and the stakes of non-compliance are significant.

Quick reference: which framework applies?

What A GAAS-compliant Audit Looks Like In Practice

Standards on paper are one thing. What they mean for day-to-day audit work is another. Ask any senior auditor what keeps an engagement on track and they won’t recite AU-C sections. They’ll talk about getting PBC documents on time, keeping workpapers current, and making sure evidence links back cleanly to every conclusion before the file closes. The standards set the bar. The operational work is how you clear it.

• Planning phase. The auditor begins by developing a thorough understanding of the entity: its business, its industry, its internal control environment, and the risks of material misstatement. Risk assessment drives everything that follows. The nature, timing, and extent of procedures are all shaped by what the auditor identifies here. A weak planning phase creates downstream problems that are difficult to correct.
• Fieldwork. This is where the audit opinion is built. The auditor gathers sufficient appropriate evidence through a combination of inquiry, observation, inspection, and analytical procedures. Internal controls are evaluated, and the results inform whether the auditor can rely on them or needs to expand substantive testing.
• Reporting. Based on the evidence gathered, the auditor forms a conclusion and expresses an opinion. GAAS sets clear requirements for what must be communicated and how, including any material weaknesses, significant deficiencies, or scope limitations that affect the engagement.

For practitioners, the points where manual processes create the most friction are also the points where compliance risk is highest: document collection from clients, version control across a live workpaper file, cross-referencing guidance while running procedures, and keeping evidence organized throughout the engagement rather than reconstructing it at the end.

Common Compliance Challenges Audit Teams Face

For all the clarity that auditing standards provide, applying them consistently is genuinely hard. Here are the challenges that come up most often.

• Managing evidence across large, dispersed teams. When multiple team members are working across different workstreams and locations, maintaining a coherent evidence trail takes active effort. Standards require documentation to be sufficient and appropriately linked to conclusions. That’s difficult when files are distributed across email threads, shared drives, and individual workpapers.
• Keeping documentation audit-ready throughout the engagement. There’s a tendency to treat documentation as a wrap-up task. The standards treat it as an ongoing responsibility. Teams that fall behind often find themselves reconstructing decisions after the fact, which is both inefficient and risky.
• Navigating multi-standard environments. A US-based firm auditing a subsidiary of a UK-listed company may need to apply both PCAOB and ISA requirements simultaneously. The overlap is significant, but the differences matter. Maintaining documentation that satisfies both frameworks requires a level of precision that’s difficult to manage without clear infrastructure.
• Keeping pace with standard updates. The AICPA, IAASB, and PCAOB all update standards on an ongoing basis. Staying current isn’t just a research task — it’s a workflow task. Teams need a way to ensure the guidance they’re applying reflects the current version, not the one from two years ago.

How Technology Is Reshaping Audit Standard Compliance

The audit profession has been appropriately cautious about technology adoption. Standards emphasize professional skepticism, auditor judgment, and independence. Any tool that compromises those principles creates risk rather than reducing it. But the conversation has matured considerably. The question now is how to use technology in a way that supports standards compliance, not whether to use it at all.

In audit specifically, the highest-value applications are operational: processing prepared-by-client (PBC) documents at scale, organizing and linking evidence to the relevant standard or procedure, and surfacing guidance without requiring manual research mid-fieldwork. These aren’t shortcuts around professional judgment. They’re ways to remove the manual overhead that surrounds it. 

What “sufficient appropriate evidence” means doesn’t change because AI is involved. Evidence gathered with technology assistance still has to meet the same sufficiency and appropriateness thresholds the standards have always required. What changes is the auditor’s ability to gather, organize, and link that evidence to the right procedures, and to document the process in a way that’s clean, traceable, and defensible.

Trullion’s Knowledge Room addresses one of the more persistent pain points in standards compliance: making sure the guidance teams are working from is current, centralized, and connected to the workflows where it actually gets applied. Rather than relying on individual team members to track updates and cross-reference frameworks manually, Knowledge Room gives audit teams an AI-accessible layer of standards, regulations, and firm methodology, so every workflow is grounded in the right guidance automatically.

The responsibility stays with the auditor. Technology enables, professional judgment decides. The firms getting this right aren’t treating AI as a shortcut. They’re treating it as infrastructure.

Auditing Standards Are The Floor, Not The Ceiling

GAAS, ISA, and PCAOB each represent a minimum standard of quality. Meeting them is necessary. Doing audit work well – consistently, with documentation that holds up under scrutiny – requires more than knowing the rules.

It requires the right processes, the right tools, and teams that aren’t spending their time on work that shouldn’t be manual in the first place.

Trullion helps audit teams apply these frameworks without the manual overhead: centralizing the standards and guidance that inform every workflow, reducing friction in evidence management, and keeping documentation audit-ready from day one. Book a demo to see how it works in practice.